Analysis

  • max time kernel
    96s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-06-2023 10:33

General

  • Target

    http://calcpcb.hasil.gov.my

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments. On this trace the reader is the firefox.exe browser process (PID 2760), which queries CPU details as part of normal startup, so the hit is not evidence of evasion by itself.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

    Every WriteProcessMemory hit comes from the two firefox.exe instances (PID 1408, the launcher, and PID 2760, the browser) starting their own -contentproc children; this is how Firefox sets up its sandboxed gpu, socket and tab processes, not injection into a foreign process. A genuine injection finding would show a different target image or a target outside the tree below.

  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. Firefox registers its own scheduled tasks (such as its default-browser agent) through this API, so a single hit on a browser-only trace is expected; before treating it as persistence, confirm that a task was actually created in the task store and what it runs.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://calcpcb.hasil.gov.my
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://calcpcb.hasil.gov.my
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.495030507\1948533226" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dadf21-6c68-4d98-be64-63d6140bc84f} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1916 23a35c19558 gpu
        3⤵
          PID:1428
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.1.1512236854\721763942" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425f3b5a-bfc3-487e-8018-1cff0d41f537} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2424 23a27c72858 socket
          3⤵
            PID:4696
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.2.870223228\1432671504" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2796 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04453371-e2e7-4263-995c-70220d3102d4} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2980 23a38b0e458 tab
            3⤵
              PID:3816
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.816150113\645053342" -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5415004b-b2e7-4d18-92a0-cf51963fb212} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 4004 23a39873858 tab
              3⤵
                PID:2512
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.4.1366157813\1381267335" -childID 3 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3af032ec-cb37-43a4-bdfb-feac3c65939a} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 4716 23a3b6d4158 tab
                3⤵
                  PID:3208
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.6.246240094\472170995" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2678e32e-a834-49b5-a41d-6957bcb971da} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 5260 23a3b6d6858 tab
                  3⤵
                    PID:3172
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.5.1137336157\382455788" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5100 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9de99dba-28f9-41e5-be5c-bf0e82fa8abb} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 5112 23a3b6d5658 tab
                    3⤵
                      PID:2948
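The way to confirm that the WriteProcessMemory and child-spawn IoCs above are Firefox's own process launch is to check the structure of the tree rather than the API names. Every -contentproc child in the listing carries the parent PID (2760) in its --channel prefix and in the gecko-crash-server-pipe name, runs from the installed browser image, and ends with a process type (gpu, socket, tab). The script below is an added example, not part of the Triage report or of Firefox: it encodes those invariants as a check over three command lines copied from the Processes section plus one constructed look-alike that breaks them. The function names and the KNOWN_TYPES set are the example's own assumptions.

```python
"""Structural check of a Firefox process tree taken from a sandbox report.

Added example; not part of the Triage report or of Firefox. Given the PID of
the browser process and the `-contentproc` command lines from the Processes
section, it checks the invariants of Firefox's own child launch: same
installed browser image, parent PID embedded in --channel and in the
crash-server pipe name, a known process type as the last argument, and one
parentBuildID across all children. Names below are the example's own.
"""
from __future__ import annotations

import re

FIREFOX_IMAGE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
# Process types Firefox passes as the final argument of a content process (assumed list).
KNOWN_TYPES = {"tab", "gpu", "socket", "rdd", "utility"}

CHANNEL_RE = re.compile(r'--channel="(\d+)\.\d+\.\d+\\\d+"')
PIPE_RE = re.compile(r"gecko-crash-server-pipe\.(\d+)")
BUILD_RE = re.compile(r"-parentBuildID (\d{14})")

# Command lines copied from the report's Processes section; the parent firefox.exe is PID 2760.
PARENT_PID = 2760
REPORT_CHILDREN = {
    1428: r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.495030507\1948533226" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dadf21-6c68-4d98-be64-63d6140bc84f} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1916 23a35c19558 gpu',
    4696: r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.1.1512236854\721763942" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425f3b5a-bfc3-487e-8018-1cff0d41f537} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2424 23a27c72858 socket',
    3816: r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.2.870223228\1432671504" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2796 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04453371-e2e7-4263-995c-70220d3102d4} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2980 23a38b0e458 tab',
}

# Constructed counter-example (not from the report): a look-alike started from a
# user-writable path whose channel and crash pipe point at a different parent.
FAKE_CHILD = r'"C:\Users\Admin\AppData\Local\Temp\firefox.exe" -contentproc --channel="1234.0.1\2" -parentBuildID 20221007134813 - {00000000-0000-0000-0000-000000000000} 1234 "\\.\pipe\gecko-crash-server-pipe.1234" 1 0 tab'


def check_child(parent_pid: int, cmdline: str) -> list[str]:
    """Return deviations from the expected shape of a Firefox child; [] means consistent."""
    issues: list[str] = []
    if not cmdline.startswith(f'"{FIREFOX_IMAGE}"'):
        issues.append("image is not the installed firefox.exe")
    if " -contentproc " not in cmdline:
        issues.append("missing -contentproc")
    m = CHANNEL_RE.search(cmdline)
    if m is None:
        issues.append("no --channel argument")
    elif int(m.group(1)) != parent_pid:
        issues.append(f"--channel names PID {m.group(1)}, expected parent {parent_pid}")
    m = PIPE_RE.search(cmdline)
    if m is None:
        issues.append("no gecko-crash-server-pipe argument")
    elif int(m.group(1)) != parent_pid:
        issues.append(f"crash pipe names PID {m.group(1)}, expected parent {parent_pid}")
    ptype = cmdline.rsplit(" ", 1)[-1]
    if ptype not in KNOWN_TYPES:
        issues.append(f"unknown process type {ptype!r}")
    return issues


def triage(parent_pid: int, children: dict[int, str]) -> dict[int, list[str]]:
    """Check every child and add a tree-wide finding if parentBuildID values differ."""
    report = {pid: check_child(parent_pid, cl) for pid, cl in children.items()}
    builds = {m.group(1) for cl in children.values() for m in [BUILD_RE.search(cl)] if m}
    if len(builds) > 1:
        for issues in report.values():
            issues.append(f"mixed parentBuildID values {sorted(builds)}")
    return report


if __name__ == "__main__":
    for pid, issues in triage(PARENT_PID, REPORT_CHILDREN).items():
        print(pid, "consistent with parent" if not issues else issues)
    print(9999, check_child(PARENT_PID, FAKE_CHILD))
```

All three children from the report pass; the constructed one fails on image path, channel PID and crash-pipe PID at once. The same three properties are what to pin in a detection exclusion for Firefox child launches: do not exclude on the image name alone.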

                Network

                MITRE ATT&CK Enterprise v6

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

                  Filesize

                  143KB

                  MD5

                  082558e90de44badee85037ef7d20ce5

                  SHA1

                  42802e31bd3af5ee5203739c2f96265165ff042f

                  SHA256

                  bc94f5bad179f94a14ad4bfcb7943acc1b6ef7de6a1c6ed4eabe9865f723e0ea

                  SHA512

                  cd6102fd2fcab0307a1bae1b6a125d41aacdc35d865bb8a84d4ed4c77b71417b98ee56e94cfa7471fc7c757e7a0ad1a6d14de1f3d47325dcc21641ca1df8d8a5

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\195576DF92B9C9698555571D55CF75B0700793C3

                  Filesize

                  5KB

                  MD5

                  12b3c98b1207bfb312157dcaadf36616

                  SHA1

                  6fba432b71a84abc48b66e60ccb3e190e4fc40bf

                  SHA256

                  7284ab5bb7905294ae9c19341dc5d02391134a6e254f9c6880c8e6bc20e44ec5

                  SHA512

                  5f1946153a2565853c578f8ea4f08ad8abafee14213b397b07d9bffaf738031a46a8a9b20f4fba2aa4eb69d405bad44afd55d96d9237f62cab176b83bc35cb52

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\798941A17B06B3929085FE3F5407B44C40D096E7

                  Filesize

                  235KB

                  MD5

                  02adf75c7a04a1e1e06151ad3205a45c

                  SHA1

                  06850612933f7adc2e8a9cfd0032b434b7ea7ec0

                  SHA256

                  81703dc8e8c1c28822cf95372b383917758cda5052b32704cb56d22cc661b1bc

                  SHA512

                  ad938e68c324448750534a1b4f686b5455c3e9909475c7e4dde122257686ec71e4f1e2b4284ce24b0cbab8f29e7748e77437eb84811df86f58ba3908a6e817b8

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\F708EF6C09E50BA07D9CC5BE40AC6EBC6158B0C7

                  Filesize

                  337KB

                  MD5

                  45582ae8c307174bf4d5e19808d923ea

                  SHA1

                  ddd95765cff5dfdd3c9684f0a86120e3d683e313

                  SHA256

                  ff29617c78fa61e338b667f9f944603062419ffe59e7395b7dcd4f6accf1035d

                  SHA512

                  097c497c9ed467ca69a5eb89cd79d28442c07e3d02d4ccd6e3b7ffc9b42da23080b2e77f7f9d351a10324b1242bad39f266ca2c324a57bd0df8378256e21691e

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\FC661F60E4EC9901EA61B1C2A56216148F9CACC2

                  Filesize

                  97KB

                  MD5

                  262f067a1e15df1e2a0b69e7ef80f51e

                  SHA1

                  d8b79199210a04b880a798a63b6665c6d6e7c0a8

                  SHA256

                  93bfe3542c10140fcdeb892cf6f75549ad076d41f8684449a153c04962164d10

                  SHA512

                  447a2c4ceb614c48b2406adf1bee6b969f557fd6c894831c3fc314c983c390ce10d997b35ada3f94f4764f165b00473e6b83e41afbea00e33f0bbd3fa46ae6f0

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset

                  Filesize

                  54KB

                  MD5

                  4f9ef3d3a71d4cb49e623e3f4b7b1162

                  SHA1

                  c2d65973b44b051d043475e9387fa7100514acbd

                  SHA256

                  48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f

                  SHA512

                  f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

                  Filesize

                  6KB

                  MD5

                  50c9957420e05f53f3bd8fa1ac5e9ec0

                  SHA1

                  642450a3ed6ef2d6f3d6075177a36e5c524caccf

                  SHA256

                  d3aaf504b89e42240d8da77e8b99debd24a590f2e5bb78d509f854dacfceefb4

                  SHA512

                  8a075098e002bc2c2da5ebfa35da53f48f7fef7e1a584f4b570b57c511d05aaaf4146ee6f1cf18025a720b23d2a3928f913ff65bf0d8deab32ca21eeececb08f

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

                  Filesize

                  7KB

                  MD5

                  c33c16e7fd3e50f1eceb20253d9acaba

                  SHA1

                  84ddf485538ef17d3a0817c7b1b2214222f69f6f

                  SHA256

                  393779f75bee4649daacf47d0a2751e81e497f42f5b595f4d8ee078b32b92922

                  SHA512

                  e818bcc0003d8ec9f2bc58d0aaed15655456efface2bc9aebf5054aa205c6e886a577dd4c4dcef8afab55895da80af1073a3073e8341036a3d3f8c71d610ef40

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  2KB

                  MD5

                  bada2fe212cda5e4eca7f170ca12e1af

                  SHA1

                  801cd10bc271384f07b41d1760b4b3a9e40d671b

                  SHA256

                  a075115b3be7e715c282c784902d3ffee5d5ee4ff4577632a016423bb9f39b92

                  SHA512

                  fdac43141e1f86e7ef1b579a80a13c991623637424c259a90ed2e4970576d35da7b26f160556c0fac3131463c45172789a1d585a65e78a702f9591f347d2896e

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  3KB

                  MD5

                  870084718cb6367f2e48bfa38eef9d30

                  SHA1

                  ed96cb13344c5d943f46580b68f098eb6539ec10

                  SHA256

                  31b1a46da358c02bf2c2e9be375bfd95e5366ce9ce5fc53657785da273b21d5d

                  SHA512

                  b3b2a5e241d1e2f2633e936a7117b7d25355c763cf51dcc70d0a58564b488e33e4ca20a1e7c3206dc7d339a82c60eba82a5d3fb3e1d41838c7b0c71d70d5a85e

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  2KB

                  MD5

                  62f3d1b180c7062d66dfa0d26d00ffd9

                  SHA1

                  80b1ac8ea2117a2bb75e24b0357eaaddcd930451

                  SHA256

                  9794f9c21ad3999bc5843e71ee9df4987cfd152563a584a48b5185e9d9f1af64

                  SHA512

                  96eaf90b4862b11725bc9aca11ae92d0121232771115f3255df61093872bbb3db88d913102915011c8f3dbfde3d2a122d06686141bb36de5de74c566957d4bcf

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  b9de2ff2912e359fecedad9611316613

                  SHA1

                  5a52275b2e9040bbf3407f26179fefea0047c7db

                  SHA256

                  fcac47f8a4f82eb94f5af10ef603e523448c683fff2ff37a81ed9cd819de3290

                  SHA512

                  573d9a05d45ee57c04e576399a96fd1731fce643723d685e1d0b2b9cbc05228f10251741cd1ef4c1f7b148ca58c583ccda8a0e4d36a15ef86eecb7ff0b8dfa95

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  fb832a73e62311f57632fe33796f998d

                  SHA1

                  85bfe59495dee4c796643dd08c8e9ff032ef802f

                  SHA256

                  715c22f23a9c3aa69ac5990858727f42619fc3594be82674ceaccccc05b8ac5d

                  SHA512

                  1890f7de3b2964a94cc9e5ba79aab715b366914d3ccaed21960bcc20dba37f80fd0054f610ec27ef650f8fa82dda02f8c41685ced779869b7f965b0515367ec8

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

                  Filesize

                  1KB

                  MD5

                  a3a783dae8a59ecb6fb7afc9740802e7

                  SHA1

                  719e6d394e8509c296af9282ddb2e98d6cd3e75d

                  SHA256

                  adf82ea661b4b6082ff7a59a5c6353c87bed145716a6d6f9f959a81a9c9ef7a4

                  SHA512

                  6e52f3062b25624aeb6659b1a6daa034695b08f52b2ce3c7c5837c2ba0c569b24fd5e2b2b6b9f34819ef88906db275d8769693f9a0e3618e84c1c8cac57e31a1
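Every path in the Downloads list sits under the Firefox profile directory (cache2 entries, sessionstore-backups, prefs-1.js, a Safe Browsing list and an activity-stream temp file), so these are files the browser writes while running, not content fetched from the target. The script below is an added example, not part of the Triage report: it parses the report's path / Filesize / MD5 / SHA1 / SHA256 / SHA512 stanzas, validates each digest's length and alphabet, and separates profile housekeeping from anything written elsewhere, which is what would need review. Two entries are copied from the list above; a third, outside the profile, is constructed and not on this page. The helper names and the NOISE_PREFIXES set are the example's own assumptions.

```python
"""Triage of the Downloads list from a browser sandbox report.

Added example; not part of the Triage report. Parses path/Filesize/digest
stanzas, checks digest format, and flags files written outside Firefox's
own profile directory. Helper names and NOISE_PREFIXES are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Files under <profile>\ whose name starts with one of these are browser housekeeping.
NOISE_PREFIXES = ("cache2\\", "sessionstore-backups\\", "safebrowsing",
                  "prefs", "activity-stream")
PROFILE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(.+)$")

# Two entries copied from the report (blank lines between labels are optional for the parser).
REPORT_ENTRIES = r"""
• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp
Filesize
143KB
MD5
082558e90de44badee85037ef7d20ce5
SHA1
42802e31bd3af5ee5203739c2f96265165ff042f
SHA256
bc94f5bad179f94a14ad4bfcb7943acc1b6ef7de6a1c6ed4eabe9865f723e0ea
SHA512
cd6102fd2fcab0307a1bae1b6a125d41aacdc35d865bb8a84d4ed4c77b71417b98ee56e94cfa7471fc7c757e7a0ad1a6d14de1f3d47325dcc21641ca1df8d8a5
• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\195576DF92B9C9698555571D55CF75B0700793C3
Filesize
5KB
MD5
12b3c98b1207bfb312157dcaadf36616
SHA1
6fba432b71a84abc48b66e60ccb3e190e4fc40bf
SHA256
7284ab5bb7905294ae9c19341dc5d02391134a6e254f9c6880c8e6bc20e44ec5
SHA512
5f1946153a2565853c578f8ea4f08ad8abafee14213b397b07d9bffaf738031a46a8a9b20f4fba2aa4eb69d405bad44afd55d96d9237f62cab176b83bc35cb52
"""
# Constructed entry, NOT from the report: a file outside the profile with placeholder digests.
CONSTRUCTED_ENTRY = "\n".join([
    r"• C:\Users\Admin\Downloads\sample.exe", "Filesize", "1KB",
    "MD5", "0" * 32, "SHA1", "0" * 40, "SHA256", "0" * 64, "SHA512", "0" * 128,
])
SAMPLE_LISTING = REPORT_ENTRIES + "\n" + CONSTRUCTED_ENTRY


@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: dict[str, str] = field(default_factory=dict)


def parse_downloads(text: str) -> list[Artifact]:
    """Turn bullet/label/value stanzas into Artifact records; blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    artifacts: list[Artifact] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        value = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("•"):
            artifacts.append(Artifact(path=line[1:].strip()))
            i += 1
        elif artifacts and line == "Filesize":
            artifacts[-1].size = value
            i += 2
        elif artifacts and line in HASH_LEN:
            artifacts[-1].hashes[line] = value.lower()
            i += 2
        else:
            i += 1
    return artifacts


def bad_digests(a: Artifact) -> list[str]:
    """Algorithms whose digest is missing, the wrong length, or not hex."""
    return [algo for algo, n in HASH_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", a.hashes.get(algo, ""))]


def classify(a: Artifact) -> str:
    """'profile-noise' for Firefox's own profile housekeeping, 'review' for anything else."""
    m = PROFILE_RE.search(a.path)
    if m and m.group(1).startswith(NOISE_PREFIXES):
        return "profile-noise"
    return "review"


if __name__ == "__main__":
    for a in parse_downloads(SAMPLE_LISTING):
        print(classify(a), a.size, a.hashes.get("SHA256", "")[:16], a.path)
```

Run against the full list on this page, every entry classifies as profile-noise; only the constructed sample.exe lands in review. The digest check matters when hashes are copied into a blocklist by hand: a truncated SHA256 silently matches nothing.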